commit 5a7f38db82a7b8baa11269bfbe66ad516203d6ac
parent 7db6ed5e38843a190b1f46f4f811d4883d980dc1
Author: spacehobo <spacehobo@web>
Date: Tue, 12 May 2026 18:40:40 +0200
We got wildcard certs up and running
Diffstat:
| M | eik.mdwn | | | 67 | ++----------------------------------------------------------------- |
1 file changed, 2 insertions(+), 65 deletions(-)
diff --git a/eik.mdwn b/eik.mdwn
@@ -45,72 +45,9 @@ However when authentication is required we force `https` like this:
return 301 https://$http_host$request_uri;
}
-We use `acme.sh` for handling certs, however expanding certs with a new domain is still not supported. The workaround is to recreate a whole new cert with all the domains. For instance, as root:
-
- acme.sh --issue --nginx \
- -d eik.permacomputing.net \
- -d top.permacomputing.net \
- -d bitrot.permacomputing.net \
- -d bbs.permacomputing.net \
- -d git.permacomputing.net \
- -d compost.permacomputing.net \
- -d berlin.permacomputing.net \
- -d rotterdam.permacomputing.net \
- -d ireland.permacomputing.net \
- -d brewing.permacomputing.net \
- -d vienna.permacomputing.net \
- -d nyc.permacomputing.net \
- -d enter.permacomputing.net \
- -d newdomain.permacomputing.net
-
- acme.sh --install-cert \
- -d eik.permacomputing.net \
- -d top.permacomputing.net \
- -d bitrot.permacomputing.net \
- -d bbs.permacomputing.net \
- -d git.permacomputing.net \
- -d compost.permacomputing.net \
- -d berlin.permacomputing.net \
- -d rotterdam.permacomputing.net \
- -d ireland.permacomputing.net \
- -d brewing.permacomputing.net \
- -d vienna.permacomputing.net \
- -d nyc.permacomputing.net \
- -d enter.permacomputing.net \
- -d newdomain.permacomputing.net \
- --key-file /etc/nginx/certs/key.pem \
- --fullchain-file /etc/nginx/certs/cert.pem \
- --reloadcmd "systemctl force-reload nginx"
-
-This can be automated by adding the new domain to the `Le_Alt` line of `eik.permacomputing.net_ecc/eik.permacomputing.net.conf` and running something like the following:
-
- acme.sh --issue --nginx $(acme.sh --list | awk '$1 == "eik.permacomputing.net" {split($3,names,",");for(name in names){ printf "-d %s ", names[name]}}')
- acme.sh --install-cert $(acme.sh --list | awk '$1 == "eik.permacomputing.net" {split($3,names,",");for(name in names){ printf "-d %s ", names[name]}}') --key-file /etc/nginx/certs/key.pem --fullchain-file /etc/nginx/certs/cert.pem --reloadcmd "systemctl force-reload nginx"
-
-Our `acme.sh` makes use of letsencrypt CA servers, as the default one from ZeroSSL keeps on being fussy. The setting was changed like this:
-
- acme.sh --set-default-ca --server letsencrypt
-
-Removing a cert is a slightly trickier. We think [this](https://community.letsencrypt.org/t/domain-is-not-a-issued-domain-skip/132337/5) might work. You edit a file in the `~/.acme.sh` by hand 😬
-
-### Wildcard certs
-
-Of course, all of this was unwieldy and brittle, and it seems none of it works now that we have rauthy set up in our nginx configs for some hosts. So maybe it's time for a wildcard cert, using [DNS Persist Mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-persist-mode):
-
- acme.sh --make-dns-persist-value -d permacomputing.net --dns-persist-wildcard
-
-
-This printed out a `TXT` record to add to DNS, which you can see by running:
-
- dig TXT _validation-persist.permacomputing.net
-
-Then we issued the first cert:
-
- acme.sh --issue -d permacomputing.net -d '*.permacomputing.net' --dns-persist -k ec-384 --force
-
- acme.sh --renew --ecc -d permacomputing.net --force
+We use `acme.sh` for handling certs, using [the GANDI DNS API subsystem](https://github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_gandi_livedns) to issue and renew our wildcard cert.
-then we're suddenly all sites, and could even set up per-user sites with a single nginx config.
+This relies on an environment variable in `/root/.acme.sh/acme.sh.env` called `GANDI_LIVEDNS_TOKEN`. This token expires every year, and must be renewed in the first week of May.
cerca
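Review bot: the replacement paragraph (the two `+` lines) drops the install step without saying where the wildcard cert now lands or how nginx picks it up; the removed lines carried `--key-file /etc/nginx/certs/key.pem`, `--fullchain-file /etc/nginx/certs/cert.pem` and `--reloadcmd "systemctl force-reload nginx"`, and the new text gives neither those paths nor the `--issue`/`--renew` invocation for the `dns_gandi_livedns` hook, so whoever renews next has to reverse-engineer it from `~/.acme.sh`. Suggest keeping one issue line (the `-d permacomputing.net -d '*.permacomputing.net'` pair from the removed DNS-persist command, with `--dns dns_gandi_livedns` in place of `--dns-persist`) plus the `--install-cert` line with those paths. Separately, `/root/.acme.sh/acme.sh.env` now holds a DNS API token that can rewrite the zone, so the page should state that the file stays root-only (mode 0600) and that the token is scoped to the permacomputing.net zone only; the yearly May renewal also deserves a short procedure (where the token is generated, how `GANDI_LIVEDNS_TOKEN` is updated in the env file, and a reminder mechanism) rather than a single sentence, since an expired token silently breaks renewal of every site under the wildcard.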